Tens of thousands of Australians were caught in a superannuation data breach, triggering fresh concern over the country’s escalating cybersecurity crisis.
The breach, which compromised access to retirement funds through multiple superannuation portals, is the latest in a national trend of rising data breaches.
Latest figures from the Office of the Australian Information Commissioner (OAIC) show that 527 data breaches were reported in the first half of 2024 – the highest number in more than three years and a nine per cent increase from the previous six-month period.

Source: Office of the Australian Information Commissioner (OAIC)

Privacy Commissioner Carly Kind told Australian Cyber Security Magazine that the scale and frequency of attacks are placing Australians at serious risk of identity theft, scams and emotional distress.
“Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm,” Ms Kind said.
According to the OAIC, malicious or criminal attacks were responsible for more than two-thirds of breaches, with the health sector and government departments most affected.

The MediSecure cyberattack, which exposed the medical records of 12.9 million Australians, remains the largest breach since reporting laws were introduced in 2018.
The financial impact is also rising. A recent report from the International Business Machines Corporation (IBM) found the average cost of a data breach in Australia has reached $4.26 million – up 27 per cent since 2020.
University of Wollongong cybersecurity expert Dr Khoa Nguyen said many organisations still fail to take cyber threats seriously.
“Cybersecurity isn’t just a technical problem, it’s a leadership problem,” Dr Nguyen said.
“Strong defences need to be built into culture, not just software.”
Healthcare and finance are particularly vulnerable due to the sensitivity of their data.
“Medical information can’t be changed like a password. Once it’s leaked, the impact is permanent,” Dr Nguyen said.
Despite repeated warnings, many organisations remain underprepared. The Australian Signals Directorate has cautioned that existing frameworks only set a minimum standard and urged businesses to go further.
In response, the federal government has introduced the Privacy and Other Legislation Amendment Bill, aimed at strengthening the OAIC’s enforcement powers and compelling organisations to adopt higher security standards.
But for some, the reforms are long overdue.
“It’s no longer acceptable for privacy to be an afterthought,” Ms Kind said.
“We expect entities to comply with their obligations. Australians’ personal information must be protected to the maximum extent possible.”
She warns that cyberattacks are becoming more sophisticated.